General

  • Target

    AnyDeskEN.7z

  • Size

    6MB

  • Sample

    220816-wlc17sfbh7

  • MD5

    e91381cfc4ec3cb6038d56b547cea420

  • SHA1

    9c8add80f14a2a83b666f3ed5098b8730738b545

  • SHA256

    94d40a523f9368e882a2a31d49442682482684f79cda5b66a65f866925091792

  • SHA512

    5ba801033bc43b57b7fd94d15c70e71a2199c7ae088ef0f0a6a4c6dd7e47159d9be599fa6dafd2be1a22aaf2e5d408ec3d5fd973dceb01ed507314c491a50120

  • SSDEEP

    196608:/yrt9xp4TfLMD5kszUd6cs/Q0LQUFZahhq:/yrD/4TTK5ksQdyX7ah0

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Family

darkylock

Ransom Note

---------- Hello -----------
***WELCOME TO DARKY LOCK ***
Your computers and servers are encrypted, and backups are deleted.
We use strong encryption algorithms, so no one has yet been able to decrypt their files without our participation.
The only way to decrypt your files is to purchase a universal decoder from us, which will restore all the encrypted data and your network.
Follow our instructions below, and you will recover all your data:
1) Pay 0.005 bitcoin to 1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i
2) Send us message with transaction id to darkysupp@tuta.io
3) Launch decrypt_bit.exe, which our support will send you through email
What guarantees?
------------------
We value our reputation. If we will not do our work and liabilities, nobody will pay us. This is not in our interests.
All our decryption software is tested by time and will decrypt all your data.
------------------
$> Life is too short to be sad. Be not sad, money, it is only paper <$
!!! DO NOT TRY TO RECOVER ANY FILES YOURSELF. WE WILL NOT BE ABLE TO RESTORE THEM!!!

Emails

darkysupp@tuta.io

Wallets

1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i

Targets

    • Target

      AnyDeskEN.exe

    • Size

      6MB

    • MD5

      81a222d0d359ab9104a587a08786abbc

    • SHA1

      4b251260608828f6ce41f4244dcdb8ebe1e5a0b4

    • SHA256

      1a9b00b4d133278901dc941c88bd83708782fa93293b00f775a7ebff4dc8d26a

    • SHA512

      310b05803327b1c1ec343918cff097b1f63c75d7ff704bffa7ee15cd22925fd6d6a5d32f6276e46706d810f656a28868cae3feb0c5d14b87e30ca288d5a81642

    • SSDEEP

      98304:olgps0DrlKJ+vUYhWlO8M2xT6pX2fvnY8nIoVgUrWLHJ8Z3USv+7iBlnlpHZuhE2:o6wJ6b58M5pWnY6Io3WknfTBJ

    • DarkyLock

      Ransomware family first seen in July 2022.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix

  • Collection

  • Command and Control

  • Credential Access

  • Execution

  • Exfiltration

  • Initial Access

  • Lateral Movement

  • Persistence

  • Privilege Escalation